gh0strat | ccf989ed46b37a95539e639d7d48202498f8fe1401e11e6190d3e4a124e255e0

General

Target

ccf989ed46b37a95539e639d7d48202498f8fe1401e11e6190d3e4a124e255e0.exe
Size

168KB
MD5

6fab44045e90ca4673c331bfd84f0ee9
SHA1

b9c5991228e3870266d0a7a7741734ad4f026ce5
SHA256

ccf989ed46b37a95539e639d7d48202498f8fe1401e11e6190d3e4a124e255e0
SHA512

05c75c864730a387646123210aeb359845c01219981d1a69958f886d9931a8e240ae1c05e3f72175549e84204e8758b789bb1ff3575da58b73c326bc2e858024
SSDEEP

3072:a55WhN9npi8X7+0rbaemqKKgrkF0tIjnK0LHB8BwXc4+4uFXBfOJ4lQHwmj3ypdX:a55WzZX7+0rb1mq+lIj3LHmBwXcxfXFP

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/files/0x000500000000b2d2-55.dat	family_gh0strat
behavioral1/files/0x000500000000b2d2-57.dat	family_gh0strat
behavioral1/files/0x00090000000126c8-58.dat	family_gh0strat
behavioral1/files/0x000b0000000126a6-59.dat	family_gh0strat
behavioral1/files/0x000b0000000126a6-60.dat	family_gh0strat
behavioral1/files/0x000b0000000126a6-62.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Executes dropped EXE 2 IoCs

pid	Process
2028	ywkkso.exe
860	hrlF00.tmp

Loads dropped DLL 3 IoCs

pid	Process
2028	ywkkso.exe
2028	ywkkso.exe
2028	ywkkso.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	ywkkso.exe
File opened (read-only)	\??\O:	ywkkso.exe
File opened (read-only)	\??\T:	ywkkso.exe
File opened (read-only)	\??\V:	ywkkso.exe
File opened (read-only)	\??\X:	ywkkso.exe
File opened (read-only)	\??\Z:	ywkkso.exe
File opened (read-only)	\??\L:	ywkkso.exe
File opened (read-only)	\??\K:	ywkkso.exe
File opened (read-only)	\??\N:	ywkkso.exe
File opened (read-only)	\??\G:	ywkkso.exe
File opened (read-only)	\??\F:	ywkkso.exe
File opened (read-only)	\??\H:	ywkkso.exe
File opened (read-only)	\??\I:	ywkkso.exe
File opened (read-only)	\??\Q:	ywkkso.exe
File opened (read-only)	\??\R:	ywkkso.exe
File opened (read-only)	\??\S:	ywkkso.exe
File opened (read-only)	\??\U:	ywkkso.exe
File opened (read-only)	\??\E:	ywkkso.exe
File opened (read-only)	\??\Y:	ywkkso.exe
File opened (read-only)	\??\W:	ywkkso.exe
File opened (read-only)	\??\P:	ywkkso.exe
File opened (read-only)	\??\J:	ywkkso.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ywkkso.exe	ccf989ed46b37a95539e639d7d48202498f8fe1401e11e6190d3e4a124e255e0.exe
File opened for modification	C:\Windows\SysWOW64\ywkkso.exe	ccf989ed46b37a95539e639d7d48202498f8fe1401e11e6190d3e4a124e255e0.exe
File created	C:\Windows\SysWOW64\hra33.dll	ywkkso.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\lpk.dll	ywkkso.exe
File opened for modification	C:\Program Files\7-Zip\lpk.dll	ywkkso.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 860	2028	ywkkso.exe	28
PID 2028 wrote to memory of 860	2028	ywkkso.exe	28
PID 2028 wrote to memory of 860	2028	ywkkso.exe	28
PID 2028 wrote to memory of 860	2028	ywkkso.exe	28

C:\Users\Admin\AppData\Local\Temp\ccf989ed46b37a95539e639d7d48202498f8fe1401e11e6190d3e4a124e255e0.exe
"C:\Users\Admin\AppData\Local\Temp\ccf989ed46b37a95539e639d7d48202498f8fe1401e11e6190d3e4a124e255e0.exe"
1⤵
- Drops file in System32 directory
PID:1292

C:\Windows\SysWOW64\ywkkso.exe
C:\Windows\SysWOW64\ywkkso.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\TEMP\hrlF00.tmp
  C:\Windows\TEMP\hrlF00.tmp
  2⤵
  - Executes dropped EXE
  PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ywkkso.exe

Filesize
168KB

MD5
6fab44045e90ca4673c331bfd84f0ee9

SHA1
b9c5991228e3870266d0a7a7741734ad4f026ce5

SHA256
ccf989ed46b37a95539e639d7d48202498f8fe1401e11e6190d3e4a124e255e0

SHA512
05c75c864730a387646123210aeb359845c01219981d1a69958f886d9931a8e240ae1c05e3f72175549e84204e8758b789bb1ff3575da58b73c326bc2e858024

Download Submit
C:\Windows\SysWOW64\ywkkso.exe

Filesize
168KB

MD5
6fab44045e90ca4673c331bfd84f0ee9

SHA1
b9c5991228e3870266d0a7a7741734ad4f026ce5

SHA256
ccf989ed46b37a95539e639d7d48202498f8fe1401e11e6190d3e4a124e255e0

SHA512
05c75c864730a387646123210aeb359845c01219981d1a69958f886d9931a8e240ae1c05e3f72175549e84204e8758b789bb1ff3575da58b73c326bc2e858024

Download Submit
C:\Windows\Temp\hrlF00.tmp

Filesize
168KB

MD5
6fab44045e90ca4673c331bfd84f0ee9

SHA1
b9c5991228e3870266d0a7a7741734ad4f026ce5

SHA256
ccf989ed46b37a95539e639d7d48202498f8fe1401e11e6190d3e4a124e255e0

SHA512
05c75c864730a387646123210aeb359845c01219981d1a69958f886d9931a8e240ae1c05e3f72175549e84204e8758b789bb1ff3575da58b73c326bc2e858024

Download Submit
\Windows\SysWOW64\hra33.dll

Filesize
176KB

MD5
16d420ad185c870e0ec5c248dcc09bbf

SHA1
817a79befc5f940f3dd82a75749488868929d612

SHA256
3bbb2c3cc011b81c5dc0e49e94a0d1250a8c6fe54efcd1a61d478a1552da2d49

SHA512
515509856a02ac468a0951fbc46724b50e7889f975242b34dd8bde56dc7a8f3d24e5a0df6a2ab3e47a82b642802f052651fbdaccc64fb399ddd20baa0136416e

Download Submit
\Windows\Temp\hrlF00.tmp

Filesize
168KB

MD5
6fab44045e90ca4673c331bfd84f0ee9

SHA1
b9c5991228e3870266d0a7a7741734ad4f026ce5

SHA256
ccf989ed46b37a95539e639d7d48202498f8fe1401e11e6190d3e4a124e255e0

SHA512
05c75c864730a387646123210aeb359845c01219981d1a69958f886d9931a8e240ae1c05e3f72175549e84204e8758b789bb1ff3575da58b73c326bc2e858024

Download Submit
\Windows\Temp\hrlF00.tmp

Filesize
168KB

MD5
6fab44045e90ca4673c331bfd84f0ee9

SHA1
b9c5991228e3870266d0a7a7741734ad4f026ce5

SHA256
ccf989ed46b37a95539e639d7d48202498f8fe1401e11e6190d3e4a124e255e0

SHA512
05c75c864730a387646123210aeb359845c01219981d1a69958f886d9931a8e240ae1c05e3f72175549e84204e8758b789bb1ff3575da58b73c326bc2e858024

Download Submit
memory/860-61-0x0000000000000000-mapping.dmp

Download
memory/1292-54-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing